Best practices for queries used in log alerts rules

Queries can start with either a table name like “search” or “union *” operators. These commands are useful during data exploration and for searching terms over the entire data model. However, these operators are not efficient for productization in alerts. Log alerts rules queries in Log Analytics and Application Insights should always start with table(s), this is to define a clear scope for the query execution to specific table(s). It also improves both query performance and relevance of the results. You can learn more by visiting our documentation, “Query best practices.”

Note that using cross-resource queries in log alerts rules is not considered inefficient although “union” operator is used. The “union” in cross-resource queries is scoped to specific resources and tables as shown in this example, while the query scope for “union *” is the entire data model.

PowerShell

1

2

3

4

5

6

7

Union

app('Contoso-app1').requests,

app('Contoso-app2').requests,

workspace('Contoso-workspace1').Perf

After data exploration and query authoring, you may want to create a log alert using that query. These examples show how you can modify queries and avoid “search” and “union *” commands.

Last April, we introduced theMicrosoft Intelligent Security Associationa group of 19 security technology providers who have integrated their solutions with a select set of Microsoft products to provide…